Description: The plugin has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as wp-config.php.
1) Create a new post with this shortcode: [ffmwp]
2) Go to the new post and upload any file
3) After that, go to the plugin's main page for users: http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files
4) Click the "Edit" button
5) Change wpfm_dir_path and wpfm_file_url to /var/www/html/wordpress/wp-config.php
6) Go back to the main page http://your_site/wordpress/wp-admin/edit.php?post_type=wpfm-files and click "Download"
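
The steps above work because the download trusts a stored path that an Editor can edit. One way to close that gap, shown as an added example that is not the plugin's own code: resolve the stored path and serve it only if it stays inside the upload directory. The function name `wpfm_example_safe_download_path`, the `user_uploads` directory and the sample files are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code. Names and paths are hypothetical.

/**
 * Return the canonical path if $stored_path (for instance the wpfm_dir_path
 * value saved with the file post) resolves to a regular file inside
 * $base_dir; return null otherwise.
 */
function wpfm_example_safe_download_path(string $stored_path, string $base_dir): ?string
{
    // realpath() resolves symlinks and "../" segments; false if the path is missing.
    $base = realpath($base_dir);
    $real = realpath($stored_path);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so /uploads-other does not match /uploads.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample layout in a temp directory so the check runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpfm_example_' . uniqid();
$uploads = $root . '/wp-content/uploads/user_uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/report.pdf', 'constructed sample');
file_put_contents($root . '/wp-config.php', '<?php // constructed sample');

$cases = [
    $uploads . '/report.pdf',             // legitimate upload
    $root . '/wp-config.php',             // edited value pointing outside uploads
    $uploads . '/../../../wp-config.php', // path that climbs back out of uploads
];
foreach ($cases as $path) {
    $ok = wpfm_example_safe_download_path($path, $uploads);
    printf("%-7s %s\n", $ok === null ? 'REJECT' : 'SERVE', $path);
}
```

In WordPress the base directory would typically come from `wp_upload_dir()['basedir']`; which stored field the plugin's download handler actually reads is an assumption here.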